For infosec professionals in sectors with a long history of cybersecurity governance, this may not seem earth-shattering news. But these measures are milestone developments in maritime cybersecurity.
Sea change in awareness
On June 16th 2017, the Maritime Safety Committee (MSC) of the United Nations’ International Maritime Organization (IMO) adopted a brief but significant resolution, MSC.428(98), “to raise awareness on cyber risk threats and vulnerabilities to support safe and secure shipping, which is operationally resilient to cyber risks”. The IMO committee had already approved an unreleased draft of guidelines for cyber risk management, MSC-FAL.1/Circ.3.
By the time those guidelines were published a few weeks later, the world’s largest integrated shipping and container logistics company, Maersk, had been devastated by a massive cyberattack. On June 27th, 2017, in ports around the globe, the company’s operations ground to a halt as the NotPetya malware ravaged IT systems. The fact that Maersk would later be assessed as “collateral damage”, rather than an intended target of the cyber-attacks, merely underscored how vulnerable and unprepared the maritime sector was.
The IMO resolution is referred to as “IMO 2021”, as it called for an implementation period that would expire on January 1st, 2021. Four years later, what progress has been made towards the goals of IMO 2021, and what challenges remain in maritime cybersecurity?
Dr. Gary C. Kessler, an independent consultant and practitioner in the areas of maritime cybersecurity, as well as the author of Maritime Cybersecurity: A Guide for Leaders and Managers, noted that PNT (position, navigation, timing) issues were just starting to become publicized in 2016, and that CEOs of maritime companies and ports did not look at cyberattacks as an existential threat. “The industry was just starting to talk about these problems five years ago, but it was far from mainstream.”
But now he told me that, in his opinion, the industry has reached a point of fully understanding that cyber is a major threat. “You can hardly have a meeting related to any aspect of the MTS without some discussion of cybersecurity… IMO 2021 certainly was a wake-up call for the industry. More organizations and agencies have cyber plans.”
With respect to raising awareness on cyber risk, IMO 2021 seems to have been a success, though Maersk’s NotPetya nightmare may deserve some of the credit.
Standards, frameworks and guidelines, al dente?
In addition to creating awareness, IMO 2021 called for more detailed guidelines from maritime NGOs and [IMO] member governments. A profusion of new guidelines poured forth from an alphabet soup of organizations, including the:
- Baltic and International Maritime Council (BIMCO)
- Comité International Radio-Maritime (CIRM)
- Cruise Line International Association (CLIA)
- Digital Container Shipping Association (DCSA)
- International Chamber of Shipping (ICS)
- International Association of Dry Cargo Shipowners (INTERCARGO)
- International Association of Independent Tanker Owners (INTERTANKO)
- Oil Companies International Marine Forum (OCIMF)
- International Union of Marine Insurance (IUMI).
While this is better than not having any standards and guidelines, Cris De Witt, founder of operational technology cybersecurity company Cyber Mariner, described to me the resulting tangle as a kind of governance “spaghetti”. DeWitt, whose clients range from operators of offshore [oil and gas] to cruise ships and container vessels, thinks that “some of these standards organizations need to collaborate [so that] the end receiver of their dog food doesn’t have to comply with so many compliance regimes. It’s daunting what they have to do in this regard.”
In January, the U.S. government publicly announced its National Maritime Cybersecurity Plan (NMCP), which is divided into three parts:
1. Risks and Standards
2. Information and Intelligence Sharing
3. Create a Maritime Cyber Security Workforce
The Risk and Standards section addresses the issue of establishing guidelines for the sector in the U.S. It notes that “more than 20 Federal government organizations currently have a role in maritime security,” and that “common cybersecurity standards however, do not exist and are not consistent across Maritime Transportation Security Act (MTSA) and non-MTSA regulated facilities.”
Yet, after acknowledging the dilemmas created by bureaucratic overlaps and the aforementioned guideline “spaghetti”, the NMCP proceeds to call for the creation of a new reporting guidance for maritime stakeholders, a new framework for port cybersecurity assessments, and a new U.S.-led international port OT risk framework.
These guidelines would be in addition to the directives issued by the United States Coast Guard over the past year: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities (NVIC 01-20) and Vessel Cyber Risk Management Work Instruction (CVC-WI-027(2)).
DeWitt remains hopeful that technical – rather than bureaucratic – solutions may be found. “On the horizon are tools that possibly negate the policy spaghetti, and ‘map’ one compliance regime to another in a way the worker bee, the FSO, ETO, Captain, IT person… can reasonably and practically implement.”
Cliff Neve, COO at MAD Security and a retired U.S. Coast Guard officer with 26+ years of experience, frames the governance discussion in a different, blunter perspective.
“NVIC 01-20 is a start, and it’s moving the needle a little bit in industry on the policy and exercise side. The problem is that it’s not prescriptive enough. The job aids say nothing about firewalls, vuln scans, log management, event correlation, or anything else that actually results in a secure operating environment,” he noted.
“It’s almost as though the powers that be think that the Russians, Chinese and other adversary nation states are going to be deterred because someone has a cyber annex in their Facility Security Plan. I see people updating their documents but not making their systems more secure.”
Ultimately, progress hinges on workforce development. There simply aren’t enough skilled personnel who, like Neve or DeWitt, have the unique combination of expertise in both maritime OT and cybersecurity necessary to bring organizations into alignment with best practices.
Chris Carter, a cybersecurity professional at a port facility in the U.S. Pacific Northwest, s that in his experience, only about half of deep water NW ports have dedicated, in-house IT staff, and he estimates that perhaps only half of those have dedicated cybersecurity personnel. Furthermore, he explains, the problem can’t be solved through outsourcing to general IT services firms, because ports would have to rely on MSPs that may not be versed on the aspects of maritime / port cybersecurity.
Dr. Kessler, who taught in the U.S. Coast Guard Academy’s new “Cyber Systems” program during its inaugural semester in 2019, echoed the challenge of workforce development.
“We are still waiting for maritime academies to recognize cyber as necessary coursework… Academia needs to take a lead and the institutions teaching the next generation of professional mariners have to be out there in front,” he noted.
The NMCP addresses maritime cybersecurity workforce development and sets three priorities for the U.S. government.
The first sets a goal of producing “cybersecurity specialists in port and vessel systems” and calls for “investment, common training, and a sustainable career path to develop and incentivize cyber professionals”. The second requires the U.S. Navy, Coast Guard, and Department of Homeland Security (DHS) to “pursue and encourage cybersecurity personnel exchanges with industry and national laboratories, with an approach towards port and vessel cybersecurity research and application.“
“Priority Action 3”, however, acknowledges that in the short-term, “Federal maritime cybersecurity forces exist, but are not sufficiently staffed, resourced, and trained to monitor, protect, and mitigate cyber threats across the maritime Sector.” The plan, therefore, directs the U.S. Coast Guard to fill the gap by deploying “field cyber protection teams to support federal maritime security coordination of MTSA-regulated facilities and aid in marine investigations, as required.”
Cyber threat intelligence: A cart before a horse?
The topic of cyber threat intelligence (CTI) occupies roughly a third of the NMCP. It also generates a significant divergence of opinion among maritime cybersecurity experts.
Carter, who also serves on the Board of Directors for the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC), says that relationships he has established with members of the MTS-ISAC community, along with the contacts he was able to establish at DEF CON Hack the Sea, have become invaluable, and that they are finding successes working with each other.
“We are now seeing localized information exchanges launch that feeds into the larger MTS-ISAC, which will only better protect the maritime sector. I have personally shared half-million elements over five years,” he noted.
Dr. Kessler, on the other hand, says that there’s a need for better and more uniform information sharing of cyber intelligence.
“The ISAC/ISAO model is wonderful if you’re a member. In the late 1990s, the ISACs freely shared information. Today, the model is that you have to pay to be a member. I fully understand that the ISCAs need to be funded but the entire maritime transportation system is at risk, and that includes small operators, small manufacturers, and so on,” he added.
In a section on “Information and Intelligence Sharing”, the NMCP recognizes that “organizations such as Information Sharing and Analysis Centers provide a pathway to share information across the private and public sector coordinating Councils.” It also points out, however, that “multiple private sector entities claim to be the information-sharing clearinghouse for MTS stakeholders. Overlapping membership across cybersecurity information sharing organizations creates barriers to efficiently inform MTS stakeholders of maritime cybersecurity best practices or threats.”
An additional consideration is that not all organizations in the sector are at a sufficient state of cybersecurity maturity to leverage access to CTI. Organizations that do not have adequate understanding of their environment or capabilities to monitor their network and respond to events when they are detected are unlikely to benefit from access to third-party intelligence products. Those limited resources may be better dedicated to basic cybersecurity hygiene and workforce development.
Four years after NotPetya struck Maersk, and the IMO adopted MSC.428(98), the single greatest challenge facing cybersecurity in the maritime industry seems to be best summarized as “leadership”.
“Policy and regulation are good but any company that is waiting to be forced into implementing strong cyber defenses by regulators, legislators, and insurers is not competently managing their company,” Kessler noted.
Cliff Neve remarked that the single biggest challenge that his clients (including maritime clients) face is lack of leadership involvement in cybersecurity risk management. “I will be crystal clear that the problem my clients face is never technical: it is always a leadership or political issue.”